What is cyberspace and how important it is? Mike Sopp summarises how new threats can affect health and safety professionals, and advises on preventive action.
Cyberspace and cyberattacks
Cyberspace is the term used to describe the electronic medium of digital networks used to store, modify and communicate information. It includes the internet as well as other systems used to support businesses.
Cyberspace is an integral part of modern society and the systems associated with it can bring many benefits to businesses in terms of efficiencies and effectiveness.
It can be stated with some confidence that cyberattacks are becoming the number one threat to many organisations, particularly as the world becomes more connected through cloud services and the Internet of Things.
For those responsible for an organisation’s health and safety management functions, cyberattacks may not be high on the agenda of risks to be managed. However, as the Health and Safety Executive’s (HSE) business plan for 2018/19 notes, “cyber security is becoming a bigger issue across all sectors”. One of its key strategic priorities is to ensure the threat from cybersecurity is adequately addressed in high-hazard businesses.
What are cyber threats?
There are a number of potential “hostile” or “threat actors” who intend to use cyberspace for malicious purposes, be this for terrorism activity, other forms of crime or state/industrial espionage.
These threat actors include criminals, terrorists, so-called “hacktivists” and even foreign states. Obviously, their relative resources, capabilities and motivations will vary depending on the particular profile.
It is often thought, from a cybersecurity perspective, that threat actors will typically be an outsider to the organisation. However, such activity may also be perpetrated by insiders, former insiders or those from outside working in collusion with an insider. This will include both direct employees and those from the supply chain with access to relevant systems.
The motivation for cyberattacks can be complex but include ideological reasons, personal financial reward, revenge, need (eg debt), conveyance of a political message, etc.
In order for a successful attack, there needs to be an intersection of:
capability — whether the attacker has the skills and resources required to mount an attack
intent — if the target has value to the attacker and furthers their mission/objectives
How do cyberattacks work?
There are several methods of cyberattack utilised by threat actors. The UK National Cyber Security Centre (NCSC) at www.ncsc.gov.uk publishes detailed information on the various methods used but, in summary, the most common attacks are as follows.
Phishing attack — where the threat actor poses as a trusted third party by email and requests personal data. This can also be used as a way to deliver documents which, when opened and macros enabled, can cause further malicious software to be downloaded and installed. This is often the first stage in a more complex attack process which enables attackers to gain an initial foothold in the IT systems.
Ransom attack — where the threat actor (hacker) compromises one or more systems encrypting the data and blocking an organisation’s access until a ransom is paid (ransomware). An example of this is the WannaCry attack which crippled the NHS in May 2017. This attack was recently recently attributed to the North Korean Government by the FBI.
Distributed Denial of Service (DDoS) attack — where high volumes of data/traffic are sent to a site or system to deliberately overload that system and make it unavailable. This can also come with a ransom demand.
Virus or malware attack — these include Trojans, viruses and worms entering the system unexpectedly, eg through email attachments or when a certain link is clicked on. They run software that steals data, installs ransomware or destroys information on the system.
Password attack — there are two key areas of password attacks: a) where someone has reused their password on another system (say Yahoo mail, or other public website). If this system is hacked the password can be easily tested against other systems or websites; b) weak passwords can often easily be guessed by running computer programs that test thousands of passwords a second.
It is worth noting that the NCSC, in its most recent report on cyber threats to UK business, highlights the threat posed by the supply chain. This includes compromises to managed service providers (to gain access to data) and the exploitation of products prior to their supply.
The health and safety context
No matter how an attack occurs, the consequences to an organisation can involve significant financial loss and reputational damage. It can also result in other risks materialising, including those related to health and safety.
From a health and safety context, cyberattacks can be grouped into three distinct areas, as follows.
Attacks on Industrial Automation Control Systems (IACS) resulting in physical risks.
Attacks resulting in the loss, unauthorised access to, destruction, or other unintended use of electronic information and data.
Attacks resulting in the disruption of operations caused by the loss or interruption of electronic systems and networks such as Building Management Systems.
Attacks on IACS
Industrial Automation Control Systems can include electrical, control and instrumentation systems, emergency shutdown systems, and fire and gas systems. All have safety critical applications.
In early 2017, the HSE published Cyber Security for Industrial Automation and Control Systems. Aimed at major hazard workplaces, the publication recognises that threats can originate not only from system networks but also software upgrades, maintenance activities and unauthorised access.
This document notes that IACS are increasingly merging with corporate systems and, together with the increased use of non-proprietary systems, “has led to modern IACS becoming potentially more vulnerable to cyberattack”.
Such an attack on an IACS could have significant safety implications. In December 2014 a malicious actor infiltrated a German steel facility. The adversary used a spear phishing email to gain access to the corporate network and then moved into the plant network. According to reports, the adversary showed knowledge in IACS and was able to cause multiple components of the system to fail.
They specifically targeted critical process components, succeeding in preventing a blast furnace from initiating its security settings when it should, which resulted in massive physical damage. This could have become a safety critical event, given the hazardous nature of the processes and materials involved.
Attacks on sensitive data
A cyberattack could have serious repercussions even in organisations that are not major hazard industries. Health and safety management systems can create considerable volumes of documentation containing sensitive business-related information as well as personal data relating to employees or other persons.
Personal data can include information on accident/incident reporting forms, occupational health reports, etc. With ever-increasing use of online reporting systems and outsourced occupational health services, the potential for cyberattack is clear.
The recently introduced General Data Protection Regulations requires the duty holder to hold personal data securely and states that data shall be “processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing”.
Failure to protect sensitive health and safety data and its subsequent loss or theft could incur investigation and prosecution by the Information Commissioner’s Office. Fines can be imposed up to €20 million or 4% of an organisation’s turnover.
There may also be data relating to health and safety that is commercially sensitive that the organisation may wish to keep out of the public domain. The unauthorised access and subsequent release of such data may cause considerable commercial and reputational damage to the organisation.
In addition to the above, other consequences of the loss of general health and safety information could include the following.
Resources may have to be invested to ensure that lost documentation and information is replaced (eg risk assessments having to be undertaken again).
Defence against prosecution or civil litigation may be weakened due to an inability to provide evidence of previous good health and safety management where documentation is permanently lost.
Lost historical data that could assist in identifying and developing future risk control measures would leave a knowledge gap.
Preventing access to databases containing vital safety information due to a cyberattack must also be considered. For example, organisations interacting with the public often utilise databases detailing potentially violent service users. If access to this database is compromised, it could create additional risks to employees.
Attacks on BMS
The third area that can have health and safety implications can be described as operational. Building Management Systems (BMS), either standalone or integrated, can form part of many health and safety risk control systems. These systems control several environmental factors (eg ventilation, lighting, power, fire and security systems, etc).
As an example, many organisations now use automated access control systems as a security measure to protect employees and prevent unauthorised access to certain premises. A cyberattack has the potential to override such systems, putting employees at risk from those gaining unauthorised access.
Similarly, a breakdown in communication systems, such as those for lone workers, may again put employees at increased risk.
How to manage cybersecurity
Organisations should be looking at cyber threats in relation to health and safety and ensuring that these are addressed in their overall corporate approach to cybersecurity.
The interconnected relationship between cyberspace risks and those associated with health and safety is an emerging and dynamic relationship. An organisation currently managing cyber threats will be able to integrate the necessary control measures to cover health and safety.
The overall approach recommended by the NCSC is based upon the following 10 principles.
Embed an appropriate risk regime across the organisation to ensure all stakeholders (employees, contractors and suppliers) are aware of the way cyber threats will be managed.
Improve security of systems by the removal or disablement of unnecessary functionality and fix vulnerabilities.
Ensure network security through an appropriate system architectural and technical response, taking into account partners’ networks, cloud services, remote working needs, etc.
Manage users’ privileges to access systems and data using the principle of minimal access.
Improve the cybersecurity culture in your organisation by ensuring that users are educated and trained on the relevant threats and associated security measures.
Improve resilience through appropriate procedures to respond to any cyberattack including business continuity planning.
Prevent malware through anti-malware policies and procedures as part of a in-depth defensive approach.
Monitor systems to detect actual or attempted attacks at an early stage.
Control the use of removable media such as USB sticks through policies and security controls.
Establish risk policies and procedures that support mobile/remote working and train users on the safe use of mobile devices.
Clearly, the above principles can be applied to any cyberspace system and those used for health and safety purposes are no different.
In support of the above, the HSE publication on IACS cybersecurity recommends that a “cybersecurity management system” is implemented and incorporated into the wider safety management system.
The Information Commissioner’s Office guidance on data protection also very much reflects the NCSC principles of management systems to ensure appropriate cybersecurity measures are taken.
The role of the H&S practitioner in cyber safety
It is worth noting that the NCSC guidance, HSE publication and ICO guidance all focus on the overall management system required to ensure “cyber safety” and do not in any way suggest that health and safety practitioners (or other risk specialists) should be experts in cybersecurity.
Just as most health and safety practitioners work from an advisory position to enable others within the organisation to manage risks, cybersecurity may need the input of a competent cyber risk specialist to support those who have responsibility for managing systems.
The role of the health and safety practitioner is to assist in identifying the systems being used directly for health and safety management — or that could have an impact on health and safety should they be attacked — and to work with IT security specialists to ensure these remain secure in cyberspace.
What is important is the partnership between the business and the IT security function to fully consider the risks. This is usually done through three lenses.
Confidentiality — what is the impact if the data in the systems were to be stolen or published?
Integrity — what is the impact if someone could change the system (this is a big area for health and safety and control systems)?
Availability — what is the impact if the system is taken offline for a period of time? Can the business operate without it, and if so for how long?
• Your topic Information Protection and Cyber Security.
• National Crime Agency, www.nationalcrimeagency.gov.uk .
This organisation works to protect the public from the most serious threats from organised crime. See the 2017-2018 report The Cyber Threat to UK Business, published in conjunction with the NCSC.
• National Cyber Security Centre, www.ncsc.gov.uk.
The NSCS was set up to protect the UK from cyberattacks, manage major incidents and improve security through technological advancement and advice. It offers a wealth of guidance, services and resources for businesses, as well as weekly threat reports on current threat intelligence.